FAR 52.204-21 and CMMC 2.0 Level 1 (control MP.L1-B.1.VII, Code 550) require contractors to sanitize or destroy media containing Federal Contract Information (FCI) before disposal or reuse; this post gives a practical, step-by-step checklist tailored for small businesses to implement that requirement reliably, defensibly, and efficiently.
Implementation checklist — overview
Begin implementation by treating sanitization as a process, not a one-off task: inventory media, classify FCI-containing assets, establish policies and roles, select sanitization methods based on media type, verify and document outcomes, and maintain records (including certificates of destruction) for audit and contract compliance. The approach below follows the NIST SP 800-88 Rev. 1 model—Clear, Purge, Destroy—which aligns with both FAR and CMMC expectations.
1) Inventory and classification
Step 1: Build an asset inventory that explicitly tags media types that may contain FCI: laptops, desktops, removable USB drives, external HDDs/SSDs, backup tapes, network-attached storage (NAS), printers/copiers with internal drives, mobile devices, and cloud storage. Use a simple spreadsheet or a lightweight inventory tool to capture owner, location, data classification (FCI or not), serial number, last use date, and retention/disposition date. For small businesses, even a shared Google Sheet with controlled access is sufficient if you log changes and back it up.
2) Policy, roles, and procedures
Create a short written procedure that states: who is authorized to approve media disposal, how sanitization decisions are made (clear vs. purge vs. destroy), required verification steps, and how to document completion. Assign roles: Media Owner (usually the project lead), IT Executor (staff or vendor doing the sanitization), and Compliance Approver (person signing-off). Include basic employee guidance in onboarding—how to tag media for destruction and the process for returning devices at termination.
3) Choose correct sanitization methods and technical controls
Select methods by media type and follow NIST SP 800-88 guidance. For magnetic HDDs, "Clear" (a single-pass overwrite with a vetted tool) is adequate for reuse inside the organization; "Purge" (ATA Secure Erase where the drive supports it, or degaussing, which also renders the drive unusable) or "Destroy" (physical shredding) is appropriate for disposal. For SSDs and flash media, do not rely on overwriting, and do not degauss (it has no effect on flash): use the drive's own sanitize commands (ATA Secure Erase via hdparm, the NVMe Sanitize command or NVMe Format with a secure-erase setting, or manufacturer tools) or cryptographic erase (destroying the encryption key) as the preferred purge methods; otherwise physically destroy. Cryptographic erase only counts as a purge if the media was encrypted before any FCI was written to it and the key was never stored unprotected elsewhere. For mobile devices, encrypt the device (full-disk encryption or the platform default) and then perform a factory reset, which destroys the key; where possible use MDM to trigger the wipe remotely. For cloud-hosted backups or SaaS, require proof of deletion or rely on provider APIs that support secure deletion and retention-policy enforcement. Always verify successful completion (see section 5).
4) Practical small-business examples and scenarios
Example A — Returning laptop: Before redeploying a contractor laptop, IT checks the inventory tag, backs up non-FCI data, wipes the drive with a known tool (vendor secure-erase for an SSD; for an HDD a vetted disk-wiping utility with a single-pass overwrite that the tool itself verifies), reimages, and logs the serial number and wipe completion. Example B — Office copier: When replacing a multifunction printer, treat the internal storage as potential FCI; either remove the drive and physically destroy it or request that the OEM perform and certify a secure purge, and record the certificate of destruction. Example C — USB drives found in an office drawer: Quarantine them, determine whether they hold FCI, and if so physically destroy (shred) or securely purge them; do not reformat and reuse without documented verification. These lightweight, repeatable steps scale for small teams and can be integrated into routine offboarding and equipment refresh workflows.
5) Verification, records, and chain of custody
Verification is essential for compliance, and NIST SP 800-88 expects it: after sanitizing, read the media back (fully, or a representative sample of sectors spread across the drive) and confirm that nothing recoverable remains. After an overwrite or block erase the sampled sectors should read as zeros; after a cryptographic erase they read as ciphertext, so check instead that no partition tables, filesystem headers or recognizable files survive. For sanitized drives, maintain logs with media serial numbers, method used (software overwrite, ATA secure erase, NVMe sanitize, physical destruction), date, executor, verification result, and a verification signature. For physical destruction, obtain a Certificate of Destruction (CoD) from the vendor that includes chain-of-custody details and method (shredding, crushing). For cryptographic erase, retain logs showing key destruction events and device IDs. Periodically audit a sample of sanitized media (e.g., attempt a forensic recovery on a sampling of sanitized devices using a third-party tool) to validate your processes, and document these audits and any corrective actions.
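The following script ties sections 3 and 5 together for one drive: purge by media type (ATA Secure Erase or NVMe Sanitize/Format), verify by reading the media back, and append an audit record. It is an added example written for this post, not code from the original page or from NIST, hdparm or nvme-cli; it assumes hdparm and nvme-cli are installed on a Linux host, that the operator passes the whole-device path, that the sanitize-log SPROG field is printed in decimal (65535 when no sanitize is running), and that records go to the file named by $SANITIZE_LOG. The verify_zeroed, check_no_signatures and log_record functions also work on a plain image file, which is how the procedure can be rehearsed before touching a real drive.

```shell
#!/bin/sh
# Added example (not from the original post): sanitize one drive, verify by reading it
# back, and append an audit record.  Assumed, not from the page: hdparm and nvme-cli are
# installed, the operator passes the whole-device path, and records go to $SANITIZE_LOG.
# The *_erase functions irreversibly destroy all data on the target device.

SANITIZE_LOG="${SANITIZE_LOG:-./sanitize.log}"

# ATA Secure Erase (a NIST SP 800-88 "Purge" for ATA HDDs/SSDs that support it).
# A drive that reports "frozen" rejects the command; a suspend/resume cycle usually
# unfreezes it.  Drives behind USB-SATA bridges often cannot be erased this way at all,
# so attach them to a native SATA port first.
ata_secure_erase() {
    dev="$1"
    if ! hdparm -I "$dev" | grep -q 'not[[:space:]]*frozen'; then
        echo "$dev is security-frozen; suspend/resume the host and retry" >&2
        return 1
    fi
    # Set a throw-away user password, then erase with it (the erase clears it again).
    hdparm --user-master u --security-set-pass Eins "$dev" || return 1
    hdparm --user-master u --security-erase Eins "$dev"
}

# NVMe: prefer Sanitize (crypto erase if supported, else block erase) and fall back to
# Format with Secure Erase Setting 1 (user data erase).  Sanitize runs in the background,
# so poll the sanitize log until SPROG reads 65535 (nothing in progress) before verifying.
# $1 is the namespace device, e.g. /dev/nvme0n1; the controller is derived from it.
nvme_sanitize() {
    ns="$1"; ctrl="${ns%n[0-9]*}"
    if nvme sanitize "$ctrl" --sanact=4 2>/dev/null || nvme sanitize "$ctrl" --sanact=2 2>/dev/null; then
        while [ "$(nvme sanitize-log "$ctrl" | awk -F: '/SPROG/{gsub(/ /,"",$2);print $2}')" != 65535 ]; do
            sleep 5
        done
    else
        nvme format "$ns" --ses=1 --force
    fi
}

# Sampled read-back verification: reads $2 evenly spaced 4 KiB blocks (default 64) across
# the device or image file and compares each with zeros.  Use after an overwrite or block
# erase; a crypto-erased drive returns ciphertext, so use check_no_signatures instead.
verify_zeroed() {
    dev="$1"; samples="${2:-64}"
    if [ -b "$dev" ]; then size=$(blockdev --getsize64 "$dev"); else size=$(wc -c < "$dev" | tr -d ' '); fi
    blocks=$(( size / 4096 ))
    [ "$blocks" -gt 0 ] || { echo "$dev: nothing to read" >&2; return 1; }
    step=$(( blocks / samples )); [ "$step" -gt 0 ] || step=1
    zero=$(mktemp) && dd if=/dev/zero bs=4096 count=1 of="$zero" 2>/dev/null
    i=0; rc=0
    while [ "$i" -lt "$blocks" ]; do
        if ! dd if="$dev" bs=4096 skip="$i" count=1 2>/dev/null | cmp -s - "$zero"; then
            echo "$dev: residual data at block $i" >&2; rc=1; break
        fi
        i=$(( i + step ))
    done
    rm -f "$zero"; return "$rc"
}

# Signature check for purged or crypto-erased media: an MBR boot signature (0x55AA at
# offset 510) or a GPT/NTFS header in the first MiB means structured data still reads back.
check_no_signatures() {
    dev="$1"
    sig=$(dd if="$dev" bs=512 count=1 2>/dev/null | od -An -tx1 -j510 -N2 | tr -d ' \n')
    if [ "$sig" = "55aa" ]; then echo "$dev: MBR boot signature still present" >&2; return 1; fi
    if dd if="$dev" bs=1024 count=1024 2>/dev/null | grep -a -q -e 'EFI PART' -e 'NTFS    '; then
        echo "$dev: partition/filesystem header still present" >&2; return 1
    fi
    return 0
}

# Audit record: timestamp | device | serial | method | result | executor.  The serial is
# read from the drive; for a plain image file the file name stands in for it.
drive_serial() {
    case "$1" in
        /dev/nvme*) nvme id-ctrl "${1%n[0-9]*}" | awk -F: '/^sn /{gsub(/ /,"",$2);print $2}' ;;
        /dev/*)     hdparm -I "$1" | awk -F: '/Serial Number/{gsub(/ /,"",$2);print $2}' ;;
        *)          echo "image:${1##*/}" ;;
    esac
}
log_record() {   # $1 device  $2 method  $3 PASS|FAIL-erase|FAIL-verify  $4 executor
    printf '%s|%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(drive_serial "$1")" \
        "$2" "$3" "$4" >> "$SANITIZE_LOG"
}

# Whole procedure for one device: erase by media type, verify, record the outcome.  A
# non-zero return means the device stays quarantined instead of being redeployed.
sanitize_drive() {
    dev="$1"; executor="$2"
    case "$dev" in
        /dev/nvme*) method=nvme-sanitize;    nvme_sanitize "$dev" ;;
        *)          method=ata-secure-erase; ata_secure_erase "$dev" ;;
    esac || { log_record "$dev" "$method" FAIL-erase "$executor"; return 1; }
    if check_no_signatures "$dev"; then result=PASS; else result=FAIL-verify; fi
    log_record "$dev" "$method" "$result" "$executor"
    [ "$result" = PASS ]
}

# Usage: sh sanitize-drive.sh /dev/sdb "J. Smith"   (run as root; destroys /dev/sdb)
if [ $# -eq 2 ]; then sanitize_drive "$1" "$2"; fi
```

The record format is deliberately a flat pipe-delimited line so it can be pasted into the inventory sheet from section 1; the serial number and the verification result are the two fields an assessor will ask to see.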
6) Risks, compliance tips, and best practices
Failing to sanitize or destroy FCI can lead to data exposure, contract breaches, debarment risk, and reputational damage. Practical best practices: encrypt all devices at acquisition (this reduces risk and makes cryptographic erase a valid purge later), use the drive's own sanitize commands or vendor tools for SSDs, include sanitization clauses in supplier and disposal contracts, label media slated for destruction and segregate it securely until processed, train staff on procedures (especially copier returns and USB handling), and keep documented evidence for FAR/CMMC audits. Avoid outdated advice such as multi-pass overwrites: a single pass is sufficient for modern HDDs, and for SSDs overwriting is not a purge at all. Follow NIST SP 800-88, which reflects current storage technology.
Implementing MP.L1-B.1.VII (Code 550) is achievable for small businesses with disciplined inventory and lightweight procedures: encrypt by default, select the appropriate sanitization method per media type, verify and document all actions, and use certified destruction vendors when physically destroying media. These practical steps reduce risk, support contract compliance, and keep your organization audit-ready.